by John Bandler
Practice, or action, is what organizations do. Good organizations do the right thing to accomplish the mission and comply with legal requirements, but this is easier said than done. Practice is one of the Five Components for Policy Work, so let's put it in the context of policies, procedures, law, cybersecurity, privacy, and management, and especially in the context of information security and internal rules. We can create rules and practices that help the organization do the right thing, protect the organization, comply with legal requirements, and better achieve its mission.
What should the practice be?
Organization practice is the conduct of individuals and of the organization as a whole. That conduct should:
- Help accomplish the mission of the organization (serve customers and clients, earn revenue, etc.)
- Keep it secure from external threats (including cybercrime)
- Keep it in compliance with external rules (laws and regulations)
- Be in compliance with the organization's internal rules (policies and procedures).
The Five Components for Policy Work: Three became four and then five
My Five Components for Policy Work are:
- Mission and business needs
- External rules: Laws and regulations
- Internal rules: Policies, procedures, and more
- Practice or action: what is actually done
- External guidance.
I started with Three Platforms to Connect for compliance to visualize how legal requirements, internal policy, and organization practice should align.
Then I introduced mission and business needs as the Fourth Platform. We want those four platforms to be in alignment as well.
Finally I added the concept of "External Guidance" as a bubbly cloud. We incorporate expertise and experience to guide us in the creation of our internal rules.
What is different about practice from the other components?
Action is where the rubber meets the road. It is where things get done. The entire purpose of internal rules is to properly influence action. Policies should not be for "show", but living valid documents that are helpful and followed.
Thus, in our five components diagram, we see that all of the arrows feed indirectly or directly into the Practice platform. This platform is in many ways the star of the show. If the organization fails to perform, or performs poorly or improperly, that is a failure of practice.
Also, Practice is the only component with arrows going both ways. While the primary purpose of internal rules is to properly influence organization action, internal rules also need to assess and consider current practice. Good current practices might need to be reinforced within written rules. Poor current practices can be changed through written rules which instruct on proper action and prohibit improper action.
When practice is not what it should be
There are many instances where practice is not what it should be. All of us have worked in organizations and seen inefficiencies and perhaps even improper actions of some type. Even excellent organizations are never perfect, and they work to continually improve. Some organizations fall very short, and there may be many reasons for these failures, but internal rules play an important role in assessing what should be done and in directing conduct.
It is a problem when organizations have pretend rules "on paper" but apply vastly different rules for conduct. From a security standpoint, a control that exists only on paper provides no protection, and an auditor, regulator, or plaintiff will measure the organization against what its own written rules promise. Causes and symptoms of this problem include statements like these:
- We have good policies on paper, but we don't really follow them.
- I know that's what the policy/procedure says to do, but here's how we really do it.
- I know the policy says it is currently effective, but it really isn't yet.
- John Doe is the security and privacy officer on paper, but doesn't really have time to deal with it, so no one is really in charge.
- Our policy says we will have these security measures, but it can't be a priority for us yet.
- We need to get a policy in place today so we have it and can show [insert name]. But we don't really need to follow it.
In sum, the practice, or action, of an organization and its members is where the rubber meets the road. Ideally, action is proper and helps achieve the mission, protect the organization, and keep it in compliance with both internal rules and external rules.
This article is (of course) not tailored to your circumstances, nor is it legal or consulting advice.
If your organization needs help with improving its internal documentation and compliance with external rules, including regarding cybersecurity and protecting from cybercrime, feel free to contact me.
- Five Components for Policy Work
- External Rules (laws, regulations, contracts, etc.)
- Internal Rules for organizations
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Policy and Procedure Research
- Policies and Procedures (and other governance documents)
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Internal Rules Planning
- Internal Rules Building
- Policy Project Planning and Execution
- External Guidance
- Business needs and mission
- Practice and action (this article)
- John's forthcoming work at the Infosec Institute on Corporate Security Policies (coming soon). Link to my author page at Infosec.
This article is hosted at https://johnbandler.com/practice-action, copyright John Bandler, all rights reserved.
This article is also available on Medium.com at https://johnbandler.medium.com/practice-action-54385d7e7831 (though not kept as up to date).
Originally posted 12/23/2022, updated 1/9/2023.